Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

AWS RDS SSL Cert with postgres adapter

default discord avatar
sxl10111 months ago
4

Is it possible to pass an SSL certificate to the postgres adapter? I'm trying to connect to RDS over SSL as described here:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html

I've tried passing it in the connection string with ?sslmode=require&sslrootcert=path/to/cert.pem - this works locally and is also accessible during the nextjs build, but production api routes cannot access the cert:



ENOENT: no such file or directory, open 'path/to/cert.pem'




I've had a look at the adapter but can't see where I could pass the cert as base64 directly to the adapter as you can with drizzle, something like this:


db: postgresAdapter({


pool: {


connectionString: process.env.POSTGRES_URI || '',


ssl: {


ca: sslCertAsBase64,


},


},


}),



Is this possible?



On -beta.3

  • default discord avatar
    notchr11 months ago
    @925158527847268424

    You solved this/



    Did the base64 path work?

  • default discord avatar
    sxl10111 months ago

    No, but I haven't been playing with it since this morning.



    I'm about to start tinkering again so I'll let you know how it goes

  • default discord avatar
    notchr11 months ago

    Sounds good!

  • default discord avatar
    sxl10111 months ago

    Some progress - the ssl pool options weren't working because the URI contained "sslmode=require"


    if the connection string contains any ssl settings (including sslcert, sslkey, sslrootcert, or sslmode), it overwrites the ssl object.




    const sslCert = fs.readFileSync(path/to/bundle.pem').toString() ... db: postgresAdapter({ pool: { connectionString: process.env.POSTGRES_URI || '', ssl: { rejectUnauthorized: false, ca: sslCert, }, }, }),

    The cert is now passed correctly via the ssl object and works in local development.


    The api routes still can't see the certificate bundle, but that first step I think makes the problem easier to solve.



    Ok so I encoded the bundle as base64, whacked it into env variables and converted that to a utf-8 buffer.



    const base64Cert = process.env.SSL_CERT_BASE64


    const decodedCert = Buffer.from(base64Cert || '', 'base64').toString('utf-8')



    works perfectly.



    I didn't love the solution at first - I would rather have a hot swappable .pem that gets bundled into the config, but that's probably not possible with serverless... BUT, with vercel's shared Environment Variables, I can enter this once and replicate it across multiple projects using RDS, which is nice. Also allows for easy update!

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.